Installing Mainframe Connector Using SMP/E
This section describes the Mainframe Connector installation process using SMP/E to manage the install.
Creating distribution library and target load library
SMP/E processing loads the distribution and target libraries. The distribution library is used to maintain Mainframe Connector . It contains the distributed load modules for your Mainframe Connector system and can be used for backup. The target library contains all the executable modules needed to run Mainframe Connector .
A sample job for defining your SMP/E environment is provided in member SMPDEF of the .INSTLIB dataset. Modify and execute this job and expect a return code of zero. In modifying, note that it is STRONGLY recommended that separate SMP/E datasets be defined for Mainframe Connector . If you choose not to define separate SMP/E datasets, then the following restrictions will apply to the subsequent installation process:
Mainframe Connector cannot be installed into the SMP/E zone in which the MOD or LMOD EDC400F9 is installed.
If your installation is running ACF2, then Mainframe Connector cannot be installed into the SMP/E zone in which ACF2 is installed.
SMP/E receive processing
You are now ready to do the RECEIVE. A sample job is provided in member SMPREC of the .INSTLIB dataset. You should expect a return code of zero. Any other return code should be investigated.
SMP/E apply processing
Having received the installation data into your global zone, you can now apply the Mainframe Connector base product into your target library. A sample job is provided in member SMPAPP of the install dataset. You should expect a return code of four. The following SMP/E warning messages are expected from the APPLY process:
GIM43401W MODULE modname IN SYSMOD MFC7030 WAS NOT INSTALLED
IN ANY TARGET LIBRARY.Where modname indicates a module name that has not been specifically used in the SMP/E install process, but may be a module used by a stand-alone linkedit job or a module that could be used for diagnostic purposes.
Best practice
It is always wise to run an APPLY/CHECK first to uncover potential errors without actually updating any libraries. SMP/E produces reports that can be used to investigate potential problems.
Apply Mainframe Connector maintenance
If an SMPPTFIN file was sent with the Mainframe Connector installation package it should be SMP/E RECEIVEd and APPLYd at this time. The SMPPTFIN file will contain the accumulated maintenance for Mainframe Connector that has not been included in the base installation. Members PTFREC and PTFAPP in the install dataset provide sample jobs for receiving and applying the Mainframe Connector maintenance.
Installing the Mainframe Connector ACF2 Function
The following sections apply when running Mainframe Connector on a system that uses ACF2 for its security product.
SMP/E update
A sample job for updating the SMP/E environment in preparation for ACF2 SMP/E installation is provided in member ACF2DEF of the install dataset. Modify and execute this job and expect a return code of zero.
SMP/E receive
A sample job to SMP/E RECEIVE the Mainframe Connector ACF2 function dependent sysmod is provided in member ACF2REC of the install dataset. Make the necessary changes to the sample job. You should expect a return code of zero from this job. Any other return code should be investigated.
SMP/E apply
When the ACF2REC job has completed, you can now apply the Mainframe Connector ACF2 sysmod into your target library. A sample job to SMP/E APPLY this sysmod is provided in member ACF2APP of the install dataset. You should expect a return code of four.
Best practice
It is always wise to run an APPLY/CHECK first to uncover potential errors without actually updating any libraries. SMP/E produces reports that can be used to investigate potential problems.
Installing the password change exit
RACF - Installing the RACF password exit ICHPWX01
Upon completion of the SMP/E apply for the base FUNCTION, the RACF password change exit ICHPWX01 can be installed. Member UMDPWX1 in the Mainframe Connector installation library has been provided as a sample to perform this task.
Note
You will only need to install the RACF ICHPWX01 exit if you will be using your z/OS system as a Bravura Pass transparent synchronization trigger system.
The USERMOD should be installed in the same SMP/E environment that contains the RACF base FUNCTION. The sample job in UMDPWX1 will install the USERMOD into the z/OS SMP/E environment and place an updated version of ICHPWX01 into SYS1.LPALIB . The object code for ICHPWX01 is contained in member ICHPWX01 in the Mainframe Connector installation library. It should be moved to a site specific library that is used to maintain USERMOD object code.
If you choose not to install ICHPWX01 into SYS1.LPALIB , it must be installed into a library that is contained in the LPALSTxx concatenation.
You should expect a return code of zero from the UMDPWX1 job. Any other return code should be investigated.
If the ICHPWX01 exit is already being used for other functions, see Password Change Notification Exit Conflict for options for creating a multi-function ICHPWX01 exit.
Restarting the z/OS Image
To enable the Mainframe Connector functionality in the RACF password exit ICHPWX01 , a system IPL (Initial Program Load) must be performed. Make sure that the IPL occurs with a CLPA option. This will cause the system Link Pack Area to be re-initialized and will load a new copy of ICHPWX01 for use by RACF.
RACF - Installing the RACF pass phrase exit ICHPWX11
Upon completion of the SMP/E apply for the base FUNCTION, the RACF pass phrase change exit ICHPWX11 can be installed. Member UMDPH11 in the Mainframe Connector installation library has been provided as a sample to perform this task.
Note
You will only need to install the RACF ICHPWX11 exit if you will be using your z/OS system as a Bravura Pass transparent synchronization trigger system for RACF pass phrase changes.
The USERMOD should be installed in the same SMP/E environment that contains the RACF base FUNCTION. The sample job in UMDPH11 will install the USERMOD into the z/OS SMP/E environment and place an updated version of ICHPWX11 into SYS1.LPALIB . The object code for ICHPWX11 is contained in member ICHPWX11 in the Mainframe Connector installation library. It should be moved to a site specific library that is used to maintain USERMOD object code.
If you choose not to install ICHPWX11 into SYS1.LPALIB , it must be installed into a library that is contained in the LPALSTxx concatenation.
You should expect a return code of zero from the UMDPH11 job. Any other return code should be investigated.
If the ICHPWX11 exit is already being used for other functions, see Password Change Notification Exit Conflict for options for creating a multi-function ICHPWX11 exit.
Restarting the z/OS Image
To enable the Mainframe Connector functionality in the RACF pass phrase exit ICHPWX11 , a system IPL (Initial Program Load) must be performed. Make sure that the IPL occurs with a CLPA option. This will cause the system Link Pack Area to be re-initialized and will load a new copy of ICHPWX11 for use by RACF.
ACF2 - Installing the ACF2 password exit NEWPXIT
Upon completion of the SMP/E apply for the base FUNCTION, the ACF2 password change exit NEWPXIT can be installed. Member UMDNPX1 in the Mainframe Connector installation library has been provided as a sample to perform this task.
Note
You will only need to install the ACF2 NEWPXIT exit if you will be using your z/OS system as a Bravura Pass transparent synchronization trigger system.
The USERMOD should be installed in the same SMP/E environment that contains the ACF2 base FUNCTION. The sample job in UMDNPX1 will install the USERMOD into the z/OS SMP/E environment and place an updated version of NEWPXIT into SYS1.LPALIB . The object code for NEWPXIT is contained in member NEWPXIT in the Mainframe Connector installation library. It should be moved to a site specific library that is used to maintain USERMOD object code.
If you choose not to install NEWPXIT into SYS1.LPALIB , it must be installed into a library that is contained in the LPALSTxx concatenation.
You should expect a return code of zero from the UMDNPX1 job. Any other return code should be investigated.
If the NEWPXIT exit is already being used for other functions, see Password Change Notification Exit Conflict for options for creating a multi-function NEWPXIT exit.
Restarting the z/OS Image
To enable the Mainframe Connector functionality in the ACF2 password exit NEWPXIT , a system IPL (Initial Program Load) must be performed. Make sure that the IPL occurs with a CLPA option. This will cause the system Link Pack Area to be re-initialized and will load a new copy of NEWPXIT for use by ACF2. The ACF2 EXIT GSO record should also be updated to reflect that NEWPXIT is to be active. Contact the ACF2 administrator to have this entry updated in the ACF2 environment.
TopSecret - Installing the TopSecret password exit TSSINSTX
Upon completion of the SMP/E apply for the base FUNCTION, the TopSecret password change exit TSSINSTX can be installed. Member UMDTSX1 in the Mainframe Connector installation library has been provided as a sample to perform this task.
Note
You will only need to install the TopSecret TSSINSTX exit if you will be using your z/OS system as a Bravura Pass transparent synchronization trigger system.
The USERMOD should be installed in the same SMP/E environment that contains the TopSecret base FUNCTION. The sample job in UMDTSX1 will install the USERMOD into the z/OS SMP/E environment and place an updated version of TSSINSTX into SYS1.LINKLIB . The object code for TSSINSTX is contained in members TSSEXITN and TSSPWXIT in the Mainframe Connector installation library. They should be moved to a site specific library that is used to maintain USERMOD object code.
If you choose not to install TSSINSTX into SYS1.LINKLIB , it must be installed into a library that is contained in the LNKLSTxx concatenation.
You should expect a return code of zero from the UMDTSX1 job. Any other return code should be investigated.
If the TSSINSTX exit is already being used for other functions, contact Bravura Security technical support to discuss available options.
If TSSINSTX has been dynamically installed into a linklist dataset of an active z/OS system, a refresh of LLA will be necessary to activate the new module. This can be accomplished with the following z/OS operator command:
F LLA,REFRESH
Enabling TSSINSTX
To enable the Mainframe Connector functionality in the TopSecret password exit TSSINSTX , the exit must be enabled to TopSecret. This can occur dynamically with a z/OS operator command. The following command can be used to enable the TopSecret installation exit:
F TSS,EXIT(ON)
The above command will cause TSSINSTX to be enabled within TopSecret. TSSINSTX must reside somewhere within the current active z/OS linklist for the above modify command to be successful.
SMP/E accept processing
Once it is determined that the status of Mainframe Connector is stable, an SMP/E ACCEPT should be performed for the Mainframe Connector base function.
The ACCEPT job installs Mainframe Connector into the distribution library which is used for backup. This process is similar to APPLY processing. The major difference is that it is irreversible so be sure that you are satisfied with the installation of Mainframe Connector before performing this step.
A sample job is provided in member SMPACC of the install dataset. You should expect a return code of zero. Any other return code should be investigated.
Accepting the Mainframe Connector ACF2 Function
This section pertains only to those customers who will be running Mainframe Connector on a system that uses ACF2 for its security product.
Mainframe Connector ACF2 Function ACCEPT
As with the Mainframe Connector base function, after it has been determined that the status of Mainframe Connector is stable, an SMP/E ACCEPT should be performed for the Mainframe Connector ACF2 dependent function.
A sample job is provided in member ACF2ACC of the install dataset. You should expect a return code of zero. Any other return code should be investigated.